[TriLUG] having trouble writing firewall rules for openvpn

Bill Farrow bill at arrowsreach.com
Tue May 8 09:05:39 EDT 2012


On Mon, May 7, 2012 at 10:50 PM, Joseph Mack NA3T <jmack at wm7d.net> wrote:
> #default INPUT policy
> iptables -P INPUT DROP  #I have to comment this out to get an openvpn
>
> iptables -A INPUT -p udp -j LOG --log-prefix "UDP"
> iptables -A INPUT -p tcp -j LOG --log-prefix "TCP"
> iptables -A INPUT -i eth2 -j LOG --log-prefix "eth2"
> iptables -A INPUT -i tun0 -j LOG --log-prefix "tun0"
> iptables -A INPUT -p udp --dport 1194 -j ACCEPT
>
> I don't see any entries in /var/log/messages. The only way I get a
> connection is if the default INPUT policy DROP rule is commented out. I
> assume the rule accepting udp packets to port 1194 is not being triggered.
> An INPUT rule ACCEPTing port 22 doesn't accept connections either.
>
> I'm no iptables expert. Can anyone see what I'm doing that's wrong? To get
> an ssh connection client->server I have to remove the default DROP policy.

Joe,
So it looks like you are not matching the required packets, which is
really strange, since your LOG rules for tcp and udp should be getting
run.

Double check the order of the rules in your INPUT chain:
  iptables -L INPUT

If they are out of order, try inserting rules:
iptables -I INPUT 1 -p udp -j LOG --log-prefix "UDP"
iptables -I INPUT 2 -p tcp -j LOG --log-prefix "TCP"

If you are running OpenWRT or some other reduced distro, make sure you
have the iptables logging module installed and running:
lsmod | grep ipt_LOG

Install it on OpenWRT if required:
ipkg install iptables-mod-extra

Bill
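The thread leaves the reader with two practical questions: what a correct INPUT chain for this setup looks like when the default policy stays DROP, and how to verify the ordering Bill asks Joe to double-check. The script below is an added example and is not code from either poster. It prints a minimal rule set (loopback, established/related replies, udp/1194 for OpenVPN, tcp/22 for ssh, then a rate-limited LOG before the policy drop takes over), and it audits a chain dump in the format `iptables -S INPUT` prints for the mistakes discussed above. The chain contents, the interface name tun0 and the sample dumps in the comments are assumptions; `conntrack` requires the conntrack match module.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iptables with the conntrack
# match. Nothing here touches the live firewall; the rule list is printed so
# it can be reviewed, then applied with: vpn_input_rules | sh

# Emit the INPUT chain in load order. ACCEPT rules come first, the LOG rule
# last, so every packet that reaches the policy drop has been logged once.
vpn_input_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP "
EOF
}

# Audit a chain dump (as printed by `iptables -S INPUT`) read from stdin.
# Prints one finding per line, or "ok"; returns 0 only when nothing was found.
# Checks: DROP policy without an ACCEPT for udp/1194, a DROP/REJECT rule that
# precedes that ACCEPT, and a DROP policy that never admits reply traffic.
audit_input_chain() {
    awk '
        BEGIN { policy = ""; accept_1194 = 0; drop_seen = 0; conntrack = 0; problems = 0 }
        /^-P INPUT/ { policy = $3; next }
        /^-A INPUT/ {
            if ($0 ~ /-j (DROP|REJECT)/ && !accept_1194) drop_seen = 1
            if ($0 ~ /-p udp/ && $0 ~ /--dport 1194/ && $0 ~ /-j ACCEPT/) {
                accept_1194 = 1
                if (drop_seen) {
                    print "a DROP/REJECT rule precedes the udp/1194 ACCEPT; check it does not match VPN traffic"
                    problems++
                }
            }
            if ($0 ~ /--ctstate [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) conntrack = 1
        }
        END {
            if (policy == "DROP" && !accept_1194) {
                print "policy is DROP but there is no ACCEPT for udp/1194"; problems++
            }
            if (policy == "DROP" && !conntrack) {
                print "policy is DROP but no ESTABLISHED,RELATED ACCEPT admits replies"; problems++
            }
            if (problems == 0) print "ok"
            exit problems ? 1 : 0
        }'
}

# Usage on a live box: iptables -S INPUT | audit_input_chain
```

Run `iptables -S INPUT | audit_input_chain` on the host to see the findings; a chain like the one quoted at the top of the thread (LOG rules plus a lone udp/1194 ACCEPT, no conntrack rule) is reported because replies to the ssh and VPN sessions are never admitted, which is one reason removing the DROP policy "fixes" it.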
